Source: www.csoonline.com – Author:
Many CISOs in large enterprises are unhappy with both their compensation and the resources they’re given to secure the business; despite this, they’re aiming to move higher.
At least one lucky US CISO earned around $5 million last year, according to a new survey, but the reality is that the average compensation for CISOs at the largest US enterprises was nearer $500,000 — and despite the good money, many were dissatisfied.
The numbers come from the 2025 annual CISO Compensation and Budget survey, conducted jointly by IANS and Artico Search, which also offers some guidance to CISOs to help guide their career path towards working for bigger organizations.
Just over 860 CISOs were surveyed between April and December 2024, and the authors focused their study on the 406 respondents working in the US for enterprises with revenue over $1 billion a year, excluding governmental and non-governmental organizations that can’t offer equity as part of their compensation. Respondents were the most senior leaders in their respective cybersecurity organizations; for simplicity the study collectively calls them chief information security officers. Just over 90% worked in the US.
A look at compensation
While a few respondents reported earning $5 million a year (including bonuses and equity), the median CISO received $532,000 in total compensation.
The highest-paid CISOs are responsible for seven- to eight-figure security budgets, and oversee teams of more than 200, the report points out. Their compensation generally includes annual equity grants averaging around $300,000, says the report, with those in the top 1% receiving multimillion-dollar equity awards each year.
“These compensation differences reflect the greater strategic responsibilities, broader scope and scale, and rarity of talent among the top 10% of CISOs skilled in running complex security programs and delivering enterprise-wide impact,” says the report.
Nick Kakolowski, senior research director at IANS, wouldn’t say how many of the group earned over $5 million in compensation. He did point out that they are in the top 1% of the market. “Due to the relatively small size of the sample, we also aren’t going to reveal the specific breakdown of their compensation packages to avoid situations where that data could be traced back to individuals,” he explained. “That said, anecdotally, in the marketplace we typically see the annual cash compensation packages top out at around $1M, with the rest of the compensation package made up of equity.”
Some are unhappy with budgets too
Not all CISOs working at large enterprises are happy with their six-figure salaries. According to the survey, only 55% of respondents working for $20 billion-plus firms were satisfied with what they were being paid, making that group the least satisfied of all those questioned. The most satisfied group was those working for organizations with between $5 billion and $20 billion in revenue: 63% said they were satisfied.
“Both $20B+ and $1B – $2B CISOs reported below average satisfaction with their compensation, though for different reasons,” says the report.
CISOs in the $20B+ segment likely compare their pay to that of other executive leaders within their organizations and consider their compensation insufficient given the demands and increasing scope of their roles, it argues.
CISOs in the $1B – $2B group, meanwhile, may feel their compensation is falling behind that of their peers in the wider large enterprise segment, it adds. This group is also the most dissatisfied with its level of visibility and engagement with the board, corresponding to the outsized share (24%) of CISOs in this segment reporting having little-to-no board engagement.
Only 58% of CISOs at the biggest organizations were happy with the budget they can spend. The least satisfied (51%) were those working for organizations with revenues between $1 billion and $2 billion.
“Satisfaction with budget received the lowest ratings overall, particularly among CISOs in the $1B – $2B and $5B – $20B segments—a reflection of frustration at being expected to do too much with not enough resources,” says the report.
A challenging transition point
Few of the respondents said they had an executive title: only one-third had a title such as executive or senior VP, while 39% had a VP rank and 29% held the title of director. Those in the VP and director categories likely have less visibility, authority and impact on strategic decision-making, says the report.
Most respondents said they reported to the CIO or chief technology officer (CTO), while a small number report to a chief regulatory officer. Only 10% of $20B+ CISOs indicated they report directly to the CEO.
“What certainly popped [from the survey results] is how difficult the job ends up being for CISOs who work in that $1 billion to $5 billion range,” Kakolowski of IANS said in an interview. “What we see when we put together the job satisfaction data, data about their job skills, certifications, and compensation is they are at a very challenging transition point within the business. They are often treated — as in smaller organizations — as more functional, technical professionals.”
But as the organization grows, both the management team and the business demands become more complex. So, he concludes, CISOs at smaller enterprise-sized firms need to start taking a more strategic role if they want to become more functional business executives.
However, he cautions that some organizations will expect CISOs to make that transition at different stages of their careers, and some firms may not be ready for a CISO to make the move. That’s where building relationships with senior management will help.
Recommendations for career growth
“Our recommendation to CISOs looking to get those large enterprise roles is to start building those skills through a cross-functional project or initiative that is related to security, even if it isn’t something that security directly runs, to demonstrate those skills and value to the business,” Kakolowski said. That way, when the organization grows and is ready for a CISO to assume executive responsibilities, their skills are known.
The report offers three recommendations:
- CISOs should carefully evaluate the possibility of adding new responsibilities to their job, such as digital risk and compliance or third-party risk management.
“Taking on additional scope can better position you as a critical enterprise leader,” the report says, “but it can also be a distraction from your core cybersecurity responsibilities. Be mindful of maintaining clear boundaries and ensuring you have the necessary resources and support to effectively manage these expanded responsibilities. You can leverage meaningful increases in job scope for compensation and title advancement.”
- To meet the possibility of shifting from a technical manager to an executive, CISOs should plan for their own soft skill development, especially in areas of communication, influence, and self-advocacy.
- To effectively manage their career path and mobility, CISOs should evaluate potential roles not just by title or immediate compensation, but by their alignment with long-term career objectives and potential for transformational impact, the report says.
“Be prepared to make calculated moves, potentially taking intermediate steps like moving to a larger organization’s secondary security role or transitioning through different sectors over a longer time period to build comprehensive experience,” it advises.
Original Post url: https://www.csoonline.com/article/3997480/even-5m-a-year-cant-keep-top-cisos-happy.html
Category & Tags: Budget, CSO and CISO, Salaries